Just over a month after announcing it fell victim to one of the largest consumer data breaches ever, reports indicate that Equifax may have been hacked again. This time the potential hack does not involve compromised personal data but rather the company’s website redirecting visitors to other sites in an attempt to get them to download malware.

The newest alleged hack was discovered by Randy Abrams, an independent security analyst who was using Equifax’s site to contest false information on his credit report. Upon entering the site, Abrams noticed that his internet browser opened up an unfamiliar page that prompted him to download an Adobe Flash update. Being a security analyst, Abrams quickly identified the download as malware although other less computer sophisticated users may have been easily tricked. Abrams claims that he encountered the fraudulent Flash download on at least three later visits to Equifax’s site. However, since releasing images and video showing evidence of the malware, neither Abrams nor others have encountered the faulty download screen on Equifax’s site.

What makes this hack particularly troubling is the hard to detect nature of the malware allegedly used. According to reports, only 3 of 65 anti-virus providers tested were able to detect the malware if it was downloaded.

Upon learning about this incident Equifax took the affected web page offline out of what they called “an abundance of caution.” Equifax later stated that none of its systems were compromised and that the reported issue did not affect their online dispute portal as originally feared. Equifax claims that the issue was caused by code from a third-party vendor that Equifax uses to collect website performance data. This vendor was apparently running malicious malware code that was causing users to be re-directed. The code has since been removed and the site now no longer redirects its users.

This latest hack has left many baffled as to how Equifax could be involved in yet another hacking controversy so soon after the hack they announced in early September. In both cases, Equifax has tried to blame third parties for the breaches. In September, Equifax stated that the cause of the hack that compromised the personal information of 145 million consumers was a vulnerability in third party software the company was using on its site. Now Equifax is blaming a third party vendor for redirecting users to malware. It is clear that even if Equifax itself was not hacked this time, they must be much more vigilant in the future as to the security of third-party vendors and software they contract with.

With data breaches and hacks becoming more and more prevalent the need for proper cyber-security has never been higher. Institutions are encouraged to make sure that they have a cyber-security policy in place that is tested and updated regularly. Institutions should also be aware of what third party services they may be using on their websites, including those used to run ads, to ensure that those services are secure as well.

If you, or your organization, have any questions concerning cybersecurity, do not hesitate to contact Cynthia A. Augello at 516-357-3753 or via email at caugello@cullenanddykman.com.

Thank you to Ryan Soebke, a law clerk with Cullen and Dykman LLP, for his assistance with this post.